CN113626847A - Data processing method and device - Google Patents
Data processing method and device Download PDFInfo
- Publication number
- CN113626847A CN113626847A CN202110972372.0A CN202110972372A CN113626847A CN 113626847 A CN113626847 A CN 113626847A CN 202110972372 A CN202110972372 A CN 202110972372A CN 113626847 A CN113626847 A CN 113626847A
- Authority
- CN
- China
- Prior art keywords
- field
- return value
- display
- data
- query request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000003672 processing method Methods 0.000 title abstract description 15
- 238000012545 processing Methods 0.000 claims abstract description 47
- 238000000034 method Methods 0.000 claims abstract description 39
- 238000004590 computer program Methods 0.000 claims description 11
- 238000004458 analytical method Methods 0.000 claims description 3
- 238000002372 labelling Methods 0.000 claims description 3
- 238000000586 desensitisation Methods 0.000 abstract description 32
- 238000011161 development Methods 0.000 abstract description 4
- 238000010586 diagram Methods 0.000 description 12
- 238000004891 communication Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 6
- 230000004048 modification Effects 0.000 description 6
- 238000012986 modification Methods 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000010276 construction Methods 0.000 description 2
- 238000013478 data encryption standard Methods 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
Abstract
The invention discloses a data processing method and device, and relates to the technical field of computers. One embodiment of the method comprises: receiving a data query request aiming at a query interface, wherein the data query request comprises an encryption and decryption context; analyzing the encryption and decryption context to obtain a display identifier; calling the query interface to acquire an interface return value aiming at the data query request; and determining a query result corresponding to the data query request according to the display identifier and the interface return value. The implementation method realizes desensitization display or plaintext display of the data without modifying or adding a new query method, does not need to modify a large number of source codes of the service, improves the development efficiency, and can realize efficient desensitization processing and plaintext display of the data.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for data processing.
Background
Information security is highly valued, and it is of great significance to strengthen the protection of sensitive data information. The sensitive data can be protected by desensitizing the sensitive data.
At present, a protection scheme for sensitive data is mainly based on modification of a source code, but in a micro service system, the acquisition method of each module for sensitive data is different, the interaction control of each module is complex, the method is complex to implement, and if desensitization processing is performed on sensitive data by modifying the source code, the system modification amount is large, and the efficiency is low.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for data processing, which can implement fast desensitization and plaintext display of sensitive information of an inquiry interface without modifying or adding an inquiry method.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a data processing method including:
receiving a data query request aiming at a query interface, wherein the data query request comprises an encryption and decryption context;
analyzing the encryption and decryption context to obtain a display identifier;
calling the query interface to acquire an interface return value aiming at the data query request;
and determining a query result corresponding to the data query request according to the display identifier and the interface return value.
Optionally, the displaying the identifier indicates desensitization displaying, and determining an inquiry result corresponding to the data inquiry request according to the display identifier and the interface return value includes:
for any field in the interface return value, judging whether the field has sensitive identification; if yes, carrying out encryption processing on any field to obtain a field result corresponding to any field; otherwise, taking any field as a field result corresponding to the any field; taking field results corresponding to all the fields as query results corresponding to the data query request;
or the display identifier indicates a plaintext display; determining a query result corresponding to the data query request according to the display identifier and the interface return value, wherein the query result comprises: and taking the interface return value as a query result corresponding to the data query request.
Optionally, before determining a query result corresponding to the data query request according to the display identifier and the interface return value, including;
and identifying a field containing sensitive information in the interface return value according to a preset sensitive information reference, and marking a sensitive identification for the field containing the sensitive information.
Optionally, determining whether any of the fields has a sensitive identifier includes:
judging whether the data type of the interface return value is a basic data type;
if yes, directly judging whether any field in the interface return value has a sensitive identification;
if not, recursively analyzing the interface return value to judge whether any field in the interface return value has a sensitive identifier.
Optionally, the determining, by the display identifier indicating a plaintext display range and according to the display identifier and the interface return value, a query result corresponding to the data query request includes:
for any field in the interface return value, judging whether the field is in the plaintext display range;
if yes, taking any field as a field result corresponding to the any field; otherwise, judging whether any field has a sensitive identification; if yes, carrying out encryption processing on any field to obtain a field result corresponding to any field; and if not, taking any field as a field result corresponding to the any field, and taking field results corresponding to all the fields as query results corresponding to the data query request.
Optionally, the display identifier further includes a group identifier, and determines, according to the display identifier and the interface return value, an inquiry result corresponding to the data inquiry request, further including:
and grouping field results corresponding to each field in the plaintext display range according to the grouping identification.
Optionally, before determining the query result corresponding to the data query request according to the display identifier and the interface return value, the method includes: and grouping fields in the interface return value according to a preset grouping rule, and labeling grouping identifications for the fields.
Another aspect of the embodiments of the present invention provides a data processing apparatus, including:
the acquisition module receives a data query request aiming at a query interface, wherein the data query request comprises an encryption and decryption context;
the analysis module is used for analyzing the encryption and decryption context to obtain a display identifier;
the calling module is used for calling the query interface and acquiring an interface return value aiming at the data query request;
and the determining module is used for determining a query result corresponding to the data query request according to the display identifier and the interface return value.
According to another aspect of the embodiments of the present invention, there is provided an electronic device for data processing, including:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the data processing method provided by the present invention.
According to a further aspect of the embodiments of the present invention, there is provided a computer-readable medium on which a computer program is stored, the program, when executed by a processor, implementing the method of data processing provided by the present invention.
One embodiment of the above invention has the following advantages or benefits: according to the data processing method provided by the embodiment of the invention, the data query request aiming at the query interface is received, the encryption and decryption context in the data query request is analyzed, the display identifier is obtained, and the query result corresponding to the data query request is determined according to the display identifier and the interface return value obtained by calling the query interface. The embodiment of the invention carries out desensitization processing or plaintext display processing on the interface return value by acquiring the display identifier from the encryption and decryption context, realizes desensitization display or plaintext display of data under the condition of not modifying or newly adding an inquiry method, does not need to greatly modify source codes of services, improves development efficiency, and can realize efficient desensitization processing and plaintext display of the data.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of a main flow of a method of data processing according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a main flow of another method of data processing according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a main flow of a further method of processing data according to an embodiment of the invention;
FIG. 4 is a flow chart illustrating a method of data processing according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the main blocks of a data processing apparatus according to an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 7 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
With the improvement of the safety and the importance of the information, the protection level of the sensitive data is increasingly important, but the sensitive information needs to be modified more complicated in the later period and the code modification amount is larger due to the fact that the protection degree of the sensitive information in the initial period of system construction is not enough, and particularly in a micro-service system, the modules are different in the acquisition of the sensitive data. For example, in the e-commerce field, when a management terminal checks orders in batches, order microservices return desensitized order data to ensure the safety of user information; when a management terminal delivers goods, clear text information of a receiver needs to be acquired, order data of the clear text is returned by order microservice, and when different modules call query interfaces, in order to meet the requirements of different modules, the data processing method provided by the embodiment of the invention can quickly desensitize sensitive information and display the clear text, is convenient and universal, and does not need to greatly modify source codes.
Fig. 1 is a schematic diagram of a main flow of a data processing method according to an embodiment of the present invention, as shown in fig. 1, the method includes the following steps:
step S101: receiving a data query request aiming at a query interface, wherein the data query request comprises an encryption and decryption context;
step S102: analyzing the encryption and decryption context to obtain a display identifier;
step S103: calling a query interface to obtain an interface return value aiming at the data query request;
step S104: and determining a query result corresponding to the data query request according to the display identifier and the interface return value.
In the embodiment of the invention, a data query request of a requester for a query interface is received, the data query request comprises an encryption and decryption context, and the display identifier for the data query request can be acquired by analyzing the encryption and decryption context.
In an embodiment of the present invention, the display identifier may indicate desensitization display or clear text display, the display identifier indicates desensitization display when a data query request needs to obtain an encrypted interface return value, and the display identifier indicates clear text display when a data query request needs to obtain clear text for certain fields. When the display identification in the encryption/decryption context does not indicate a plaintext display or a desensitized display, the desensitized display is defaulted. Optionally, the display mode may also indicate a group identifier, for example, a group identifier indicating a plaintext display range.
Optionally, before step S104, the method includes: and identifying the field containing the sensitive information in the interface return value according to the preset sensitive information reference, and marking a sensitive identification for the field containing the sensitive information.
In the embodiment of the invention, when the value of the field contains sensitive information, the safety of the information is related, the sensitive information can be determined by presetting a sensitive information reference to determine the field containing the sensitive information, the sensitive information comprises a basic type and a self-defined type, the basic type can be the sensitive information specified by a standard, such as a name, a mobile phone number, an identity card number, a bank card number and the like, the self-defined type can be the sensitive information set according to an industry or business rule, such as a receiver address, a sender address, commodity information and the like in a shipping bill, and flexible configuration is realized. According to the preset sensitive information reference, a field containing sensitive information can be determined, then the field containing the sensitive information is identified from the interface return value, and a sensitive identification is marked for the field containing the sensitive information. Then, after a certain field is identified to have a sensitive identifier, the field can be determined as a field containing sensitive information, so that when desensitized display is performed subsequently, desensitization processing is performed on the field having the sensitive identifier.
In the embodiment of the invention, the sensitive identification is marked for the field containing the sensitive information, and the standard Annotation can be encapsulated by adding an Annotation configuration in the query interface, so that the usability is increased.
As shown in fig. 2, in an alternative implementation manner of the embodiment of the present invention, the displaying the indication indicates desensitization displaying, and step S104 includes:
step S201: for any field in the interface return value, judging whether any field has a sensitive identifier, if so, executing step S202, otherwise, executing step S203;
step S202: encrypting any field to obtain a field result corresponding to any field;
step S203: taking any field as a field result corresponding to any field;
step S204: and taking the field results corresponding to all the fields as the query results corresponding to the data query request.
When the display identification indicates desensitization display, judging whether any field in the interface return value has a sensitive identification, if so, encrypting the field with the sensitive identification according to a preset encryption rule to obtain a field result corresponding to the field; and if the interface return value does not have the sensitive identification, directly displaying the field result in a plaintext mode, and then taking the field result displayed in the field and plaintext modes after the encryption processing, namely the field result corresponding to all the fields in the interface return value, as a query result.
In another implementation of the embodiment of the present invention, the display identifier indicates a plaintext display; step S104, comprising: and taking the interface return value as a query result corresponding to the data query request. And directly taking the obtained interface return value as a query result, namely displaying all fields in the interface return value in a clear text.
In an alternative embodiment, determining whether any field has a sensitive identifier includes:
judging whether the data type of the interface return value is a basic data type;
if yes, directly judging whether any field in the interface return value has a sensitive identification;
if not, the interface return value is recursively traversed to judge whether any field in the interface return value has the sensitive identification.
In the embodiment of the present invention, when determining whether any field has a sensitive identifier, the data type of the interface return value is determined first, and if the data type is a basic data type, such as String, it is directly determined whether any field in the interface return value has a sensitive identifier, and then the field having the sensitive identifier is encrypted. If the data type is not the basic data type, wherein if the data type is a set or self-defined data type, if the set data type is an Object, the interface return value is recursively analyzed, the interface return value is recursively traversed to judge whether any field in the interface return value has a sensitive identifier, and if the interface return value comprises the field with the sensitive identifier, the field with the sensitive identifier in the interface return value is encrypted. For example, the interface returns a value of an object a, where a includes a set of B, and B includes a set of C, and if A, B, C all include fields with sensitive identifiers, a is recursively resolved, and fields in A, B, C are recursively traversed to determine whether sensitive identifiers exist, so as to perform subsequent processing.
According to the embodiment of the present invention, before step S104, the method further includes: and determining a preset encryption rule of the field with the sensitive identification.
In the embodiment of the invention, before the field with the sensitive identification in the interface return value is encrypted, the preset encryption rule of the field with the sensitive identification or the field containing the sensitive information is determined, so that the determined field with the sensitive identification is encrypted according to the preset encryption rule. The encryption rules of fields with sensitive identifications are pre-configured, each encryption rule of fields with sensitive identifications can be the same or different, wherein the preset encryption rule can be a standard encryption rule or a self-defined encryption rule, the standard encryption rule can be used for encrypting sensitive information according to common industrial rules, for example, the ID card number shows the first bit and the last bit, and other bits are replaced by 'x', for example, the ID card number: 1 x 6, customized encryption rules, can encrypt sensitive information according to business requirements, e.g., can make the identification number show the first two or the last two bits, other bits are all replaced with "x", 11 x 6, can realize flexible encryption processing or desensitization processing.
The Encryption Algorithm (or desensitization Algorithm) used by the preset Encryption rule may include one or a combination of several of a Message-Digest Algorithm (MD), a truncation Algorithm, a replacement Algorithm, a Data Encryption Standard (DES) Algorithm, and the like.
In the embodiment of the invention, after the field with the sensitive identification in the interface return value is determined, the field with the sensitive identification is encrypted according to the preset encryption rule, desensitization processing of sensitive information is realized by adopting an encryption processing mode, and partial content in a field result corresponding to the field with the sensitive identification is hidden so as to protect the sensitive information.
In an optional implementation manner of the embodiment of the present invention, as shown in fig. 3, the displaying identifier indicates a plaintext displaying range, and step S104 includes:
step S301: for any field in the interface return value, judging whether any field is in a plaintext display range, if so, executing step S302, and if not, executing step S303;
step S302: taking any field as a field result corresponding to any field;
step S303: judging whether any field has a sensitive mark, if so, executing step S304, and if not, executing step S305;
step S304: encrypting any field to obtain a field result corresponding to any field;
step S305: taking any field as a field result corresponding to any field;
step S306: and taking the field results corresponding to all the fields as the query results corresponding to the data query request.
In the embodiment of the invention, when the display identifier indicates a plaintext display range, firstly, whether any field in the interface return value is in the plaintext display range is judged, if so, a field result corresponding to the field is determined, if so, the field value is displayed in plaintext, if not, whether the field has a sensitive identifier is required to be judged, and if so, the field value is encrypted according to a preset encryption rule to obtain a field result corresponding to the field; and if the field does not have the sensitive identification, directly taking the field as a field result, and then taking the field results corresponding to all the fields in the returned value according to the interface as query results corresponding to the data query request. For example, the display identifier indicates a plaintext display range, the plaintext display range is to perform plaintext display on the name and the address of the receiver, whether any field in the interface return value is within the plaintext display range is judged, then the plaintext display is performed on the values of the two fields of the name and the address of the receiver, and other fields, such as a mobile phone number of the receiver, have a sensitive identifier, perform encryption processing on the mobile phone number of the receiver, and if the name of a commodity does not have a sensitive identifier, then the name of the commodity is displayed in plaintext, so that the query result is determined.
In another optional implementation manner of the embodiment of the present invention, the displaying identifier further includes a group identifier, and step S104 further includes: and grouping field results corresponding to each field in the plaintext display range according to the grouping identification.
Optionally, before step S104, the method includes: and according to a preset grouping rule, grouping fields in the interface return value, and marking grouping identifications for the fields.
In the embodiment of the present invention, the preset grouping rule may be a self-defined grouping rule, and groups or classifies fields in the interface return value, and then labels the grouping identifier on the fields to enhance the display information displayed in the clear text, for example, three fields of a recipient name, a recipient mobile phone number, and a recipient address may be used as one group, and each field of the three fields is labeled with a grouping identifier, such as recipient grouping, so that the grouping display may be performed through the grouping identifier.
In the embodiment of the invention, when the display identifier indicates the plaintext display range and the display identifier further comprises the grouping identifier, each field in the plaintext display range in the interface return value is determined, each field is used as a field result corresponding to each field, the grouping identifier of each field is identified, and the field results corresponding to each field are grouped according to the grouping identifier of each field, so that the grouping display is realized. For example, the plaintext display range is the fields of the receiver mobile phone number, the receiver address and the receiver name, the grouping identifier is the receiver group, three fields of the receiver mobile phone number, the receiver address and the receiver name are determined from the interface return value, the grouping display is carried out according to the grouping identifier of the receiver group, and the log is recorded.
The information display method comprises the steps of displaying a plaintext display range indicated by an identifier and a grouping identifier, determining whether the information display mode in the plaintext display range is field display or grouping display, and identifying the grouping identifier configured in the plaintext display range from an interface return value if the information display mode is grouping display, so that the grouping display is realized, the information display mode is more personalized, flexible and configurable, and the practicability is better.
The data processing method of the embodiment of the invention is convenient for flexibly realizing desensitization and plaintext display of data information under the framework of a micro-service system, can meet the requirement of realizing desensitization transformation of sensitive information under the condition of less changing source codes, can support a dubbo, springclosed and jsf micro-service system, and can realize quick access so as to realize desensitization processing and plaintext display of sensitive information. The data processing method can be developed and realized based on JAVA language, Spring container, IDEA development tool and the like.
To further explain the data processing method, the data processing method shown in fig. 4 is taken as an example.
Step S401: receiving a data query request aiming at a query interface, wherein the data query request comprises an encryption and decryption context;
step S402: analyzing the encryption and decryption context to obtain a display identifier;
step S403: calling a query interface to obtain an interface return value aiming at the data query request;
step S404: when the display identification indicates desensitization display, judging whether any field in the interface return value has a sensitive identification, if so, executing step S405, and if not, executing step S406;
step S405: encrypting any field to obtain a field result corresponding to any field;
step S406: taking any field as a field result corresponding to any field;
step S407: taking the field results corresponding to all the fields as query results corresponding to the data query request;
step S408: and when the display identifier indicates plaintext display, taking the interface return value as a query result corresponding to the data query request.
Step S409: when the display identifier indicates the plaintext display range, judging whether any field in the interface return value is in the plaintext display range; if yes, go to step S410, otherwise go to step S411;
step S410: taking any field as a field result corresponding to any field;
step S411: judging whether any field has a sensitive mark, if so, executing step S412; if not, go to step S413;
step S412: encrypting any field to obtain a field result corresponding to any field;
step S413: taking any field as a field result corresponding to any field;
step S414: and taking the field results corresponding to all the fields as the query results corresponding to the data query request.
According to the data processing method provided by the embodiment of the invention, the data query request aiming at the query interface is received, the encryption and decryption context in the data query request is analyzed, the display identifier is obtained, and the query result corresponding to the data query request is determined according to the display identifier and the interface return value obtained by calling the query interface. The embodiment of the invention can perform desensitization processing or plaintext display processing on the interface return value by acquiring the display identifier from the encryption and decryption context, realize desensitization or plaintext display of data under the condition of not modifying or adding a new query method, realize rapid desensitization of the data without modifying a large number of source codes, label the sensitive identifier and the grouping identifier for the field and preset encryption rules, realize flexible individualized configuration of desensitization display or plaintext display, and flexibly support service requirements.
As shown in fig. 5, another aspect of the present invention provides an apparatus 500 for data processing, including:
an obtaining module 501, configured to receive a data query request for a query interface, where the data query request includes an encryption/decryption context;
the analysis module 502 is used for analyzing the encryption and decryption context to obtain a display identifier;
the calling module 503 is configured to call the query interface to obtain an interface return value for the data query request;
the determining module 504 determines a query result corresponding to the data query request according to the display identifier and the interface return value.
In the embodiment of the present invention, the apparatus further includes a configuration module, before determining a query result corresponding to the data query request according to the display identifier and the interface return value, identifying a field containing sensitive information in the interface return value according to a preset sensitive information reference, and labeling the field containing sensitive information with a sensitive identifier.
In the embodiment of the present invention, the configuration module is further configured to group fields in the interface return value according to a preset grouping rule, and mark a grouping identifier for the fields.
In the embodiment of the present invention, the display identifier indicates desensitization display, and the determining module 504 determines, for any field in the interface return value, whether any field has a sensitive identifier; if yes, carrying out encryption processing on any field to obtain a field result corresponding to any field; otherwise, taking any field as a field result; and taking the field result corresponding to the field as the query result corresponding to the data query request.
In an embodiment of the invention, the display identifier indicates desensitization display, and the determining module 504 is configured to: and taking the interface return value as a query result corresponding to the data query request.
In the embodiment of the present invention, the display identifier indicates plaintext display, and the determining module 504 determines whether the data type of the interface return value is a basic data type; if yes, directly judging whether any field in the interface return value has a sensitive identification; if not, the interface return value is recursively traversed to judge whether any field in the interface return value has the sensitive identification.
In this embodiment of the present invention, the display identifier includes a plaintext display, and the determining module 504 is further configured to: determining display information of plaintext display, wherein the display information comprises a single field to be subjected to plaintext display; and acquiring a single field from the interface return value, and determining the value of the single field as the processed interface return value.
In this embodiment of the present invention, the display identifier includes a plaintext display, and the determining module 504 is further configured to: for any field in the interface return value, judging whether any field is in a plaintext display range; if yes, taking any field as a field result corresponding to any field; otherwise, judging whether any field has a sensitive identification; if yes, carrying out encryption processing on any field to obtain a field result corresponding to any field; and if not, taking any field as a field result, and taking the field result corresponding to the field as a query result corresponding to the data query request.
In this embodiment of the present invention, the display identifier includes a plaintext display, and the determining module 504 is further configured to: and grouping field results corresponding to each field in the plaintext display range according to the grouping identification.
In the embodiment of the present invention, the parsing module 502 may be implemented by an information security interceptor, which is a modularized component and may be a spring basic application interceptor, a dubbo information interceptor, or a spring closed application interceptor, and is used to support the implementation of distributed frameworks such as jsf, doubbbo, and spring closed.
The data processing device of the embodiment of the invention realizes desensitization of sensitive information through entity class configuration and a simple interceptor, supports encryption of sensitive information of each module and grouping display of plaintext, realizes quick desensitization of the sensitive information, can be used for transformation of historical items, does not need to modify or newly add an inquiry method, does not need to modify a large number of source codes, and improves development efficiency.
An embodiment of the present invention further provides an electronic device for data processing, including: one or more processors; the storage device is used for storing one or more programs, and when the one or more programs are executed by one or more processors, the one or more processors implement the data processing method provided by the embodiment of the invention.
Embodiments of the present invention further provide a computer-readable medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for data processing provided by the embodiments of the present invention.
Fig. 6 shows an exemplary system architecture 600 of a data processing apparatus or a method of data processing to which embodiments of the invention may be applied.
As shown in fig. 6, the system architecture 600 may include a plurality of servers 601, 602, 603, 604 and a network 605. Network 605 serves as a medium for providing communication links between servers 601, 602, 603, 604. The network 605 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The servers 601, 602, 603, 604 may be servers providing various services, such as a background management server (for example only) that provides support for shopping websites browsed by users using the terminal devices. The background management server can analyze and process the received data such as the information inquiry request and the like, and feed back the corresponding data to the terminal equipment.
It should be noted that the data processing method provided by the embodiment of the present invention is generally executed by the servers 601, 602, 603, and 604, and accordingly, the data processing apparatus is generally disposed in the servers 601, 602, 603, and 604.
It should be understood that the number of networks and servers in fig. 6 is merely illustrative. There may be any number of networks and servers, as desired for implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes an acquisition module, a parsing module, a calling module, and a determination module. Where the names of these modules do not in some cases constitute a limitation on the modules themselves, for example, the determination module may also be described as "determining a query result corresponding to a data query request based on the display identifier and the interface return value".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise: receiving a data query request aiming at a query interface, wherein the data query request comprises an encryption and decryption context; analyzing the encryption and decryption context to obtain a display identifier; calling a query interface to obtain an interface return value aiming at the data query request; and determining a query result corresponding to the data query request according to the display identifier and the interface return value.
According to the technical scheme of the embodiment of the invention, the data query request aiming at the query interface is received, the encryption and decryption context in the data query request is analyzed, the display identifier is obtained, and the query result corresponding to the data query request is determined according to the display identifier and the interface return value obtained by calling the query interface. The embodiment of the invention can perform desensitization processing or plaintext display processing on the interface return value by acquiring the display identifier from the encryption and decryption context, realize desensitization or plaintext display of data under the condition of not modifying or adding a new query method, realize rapid desensitization of the data without modifying a large number of source codes, label the sensitive identifier and the grouping identifier for the field and preset encryption rules, realize flexible individualized configuration of desensitization display or plaintext display, and flexibly support service requirements.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method of data processing, comprising:
receiving a data query request aiming at a query interface, wherein the data query request comprises an encryption and decryption context;
analyzing the encryption and decryption context to obtain a display identifier;
calling the query interface to acquire an interface return value aiming at the data query request;
and determining a query result corresponding to the data query request according to the display identifier and the interface return value.
2. The method of claim 1, wherein the display identifier indicates desensitized display, and wherein determining the query result corresponding to the data query request based on the display identifier and the interface return value comprises: for any field in the interface return value, judging whether the field has sensitive identification; if yes, carrying out encryption processing on any field to obtain a field result corresponding to any field; otherwise, taking any field as a field result corresponding to the any field; taking field results corresponding to all the fields as query results corresponding to the data query request;
or the display identifier indicates a plaintext display; determining a query result corresponding to the data query request according to the display identifier and the interface return value, wherein the query result comprises: and taking the interface return value as a query result corresponding to the data query request.
3. The method of claim 2, prior to determining a query result corresponding to the data query request based on the display identifier and the interface return value, comprising: and identifying a field containing sensitive information in the interface return value according to a preset sensitive information reference, and marking a sensitive identification for the field containing the sensitive information.
4. The method of claim 2, wherein determining whether any of the fields has a sensitive identity comprises:
judging whether the data type of the interface return value is a basic data type;
if yes, directly judging whether any field in the interface return value has a sensitive identification;
if not, the interface return value is recursively traversed to judge whether any field in the interface return value has a sensitive identifier.
5. The method of claim 1, wherein the display identifier indicates a plaintext display range, and wherein determining the query result corresponding to the data query request according to the display identifier and the interface return value comprises:
for any field in the interface return value, judging whether the field is in the plaintext display range;
if yes, taking any field as a field result corresponding to the any field; otherwise, judging whether any field has a sensitive identification; if yes, carrying out encryption processing on any field to obtain a field result corresponding to any field; and if not, taking any field as a field result corresponding to the any field, and taking field results corresponding to all the fields as query results corresponding to the data query request.
6. The method of claim 5, wherein the display identifier further comprises a group identifier, and wherein the determining of the query result corresponding to the data query request is performed according to the display identifier and the interface return value, further comprises:
and grouping field results corresponding to each field in the plaintext display range according to the grouping identification.
7. The method of claim 6, wherein prior to determining the query result corresponding to the data query request based on the display identifier and the interface return value, comprising: and grouping fields in the interface return value according to a preset grouping rule, and labeling grouping identifications for the fields.
8. An apparatus for data processing, comprising:
the acquisition module receives a data query request aiming at a query interface, wherein the data query request comprises an encryption and decryption context;
the analysis module is used for analyzing the encryption and decryption context to obtain a display identifier;
the calling module is used for calling the query interface and acquiring an interface return value aiming at the data query request;
and the determining module is used for determining a query result corresponding to the data query request according to the display identifier and the interface return value.
9. An electronic device for data processing, comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110972372.0A CN113626847A (en) | 2021-08-24 | 2021-08-24 | Data processing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110972372.0A CN113626847A (en) | 2021-08-24 | 2021-08-24 | Data processing method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113626847A true CN113626847A (en) | 2021-11-09 |
Family
ID=78387410
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110972372.0A Pending CN113626847A (en) | 2021-08-24 | 2021-08-24 | Data processing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113626847A (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150074392A1 (en) * | 2013-09-12 | 2015-03-12 | International Business Machines Corporation | Secure processing environment for protecting sensitive information |
| CN109977690A (en) * | 2017-12-28 | 2019-07-05 | 中国移动通信集团陕西有限公司 | A kind of data processing method, device and medium |
| WO2021051612A1 (en) * | 2019-09-19 | 2021-03-25 | 平安科技(深圳)有限公司 | Automatic data authorization desensitization method, system, device, and storage medium |
| CN112560100A (en) * | 2020-12-22 | 2021-03-26 | 网易(杭州)网络有限公司 | Data desensitization method and device, computer readable storage medium and electronic equipment |
| CN112860749A (en) * | 2021-03-05 | 2021-05-28 | 中国农业银行股份有限公司广州分行 | Data processing method, data processing device, computer equipment and storage medium |
| CN113127915A (en) * | 2021-05-12 | 2021-07-16 | 平安信托有限责任公司 | Data encryption desensitization method and device, electronic equipment and storage medium |
-
2021
- 2021-08-24 CN CN202110972372.0A patent/CN113626847A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150074392A1 (en) * | 2013-09-12 | 2015-03-12 | International Business Machines Corporation | Secure processing environment for protecting sensitive information |
| CN109977690A (en) * | 2017-12-28 | 2019-07-05 | 中国移动通信集团陕西有限公司 | A kind of data processing method, device and medium |
| WO2021051612A1 (en) * | 2019-09-19 | 2021-03-25 | 平安科技(深圳)有限公司 | Automatic data authorization desensitization method, system, device, and storage medium |
| CN112560100A (en) * | 2020-12-22 | 2021-03-26 | 网易(杭州)网络有限公司 | Data desensitization method and device, computer readable storage medium and electronic equipment |
| CN112860749A (en) * | 2021-03-05 | 2021-05-28 | 中国农业银行股份有限公司广州分行 | Data processing method, data processing device, computer equipment and storage medium |
| CN113127915A (en) * | 2021-05-12 | 2021-07-16 | 平安信托有限责任公司 | Data encryption desensitization method and device, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110955914A (en) | Processing method, system, terminal equipment and storage medium of data to be desensitized | |
| CN110471848B (en) | Method and device for dynamically returning message | |
| US9838359B2 (en) | Separation of IoT network thing identification data at a network edge device | |
| CN110427304A (en) | O&M method, apparatus, electronic equipment and medium for banking system | |
| CN111914279B (en) | Efficient and accurate privacy intersection system, method and device | |
| CN111259409A (en) | Information encryption method and device, electronic equipment and storage medium | |
| CN110795741A (en) | Method and device for carrying out security processing on data | |
| CN112256275A (en) | Code obfuscation method, device, electronic device and medium | |
| CN114598671B (en) | Session message processing method, device, storage medium and electronic equipment | |
| CN114925338A (en) | Compiling method, device, equipment, medium and product | |
| CN110334023B (en) | Test flow determining method and device applied to website | |
| CN113626847A (en) | Data processing method and device | |
| CN110990848A (en) | Sensitive word encryption method and device based on hive data warehouse and storage medium | |
| CN109995534B (en) | Method and device for carrying out security authentication on application program | |
| CN113037760B (en) | Message sending method and device | |
| CN105302617A (en) | Method and sever for downloading application program | |
| CN114528545A (en) | Data protection method, device, equipment and storage medium | |
| CN113946862A (en) | Data processing method, device and equipment and readable storage medium | |
| CN113792323A (en) | Sensitive data encryption method and device based on agricultural products and electronic equipment | |
| CN111782678A (en) | Data storage method and device | |
| CN108811036A (en) | Method and apparatus for showing wireless access point information | |
| CN111179079A (en) | Terminal information acquisition method and device, terminal equipment and storage medium | |
| CN111209014A (en) | Parameter checking method and device | |
| CN113535186B (en) | Service application deployment method and device | |
| CN112437052B (en) | Method, apparatus, electronic device, and computer-readable medium for processing information |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |